Four Pillars: Trusting information

The latest New Scientist has an article covering some of the discussions at CHI in Montreal recently. And for once it’s not a premium article, so I can link to it here.

It worries me, but for all the wrong reasons.

First, the headline: “Mashup” websites are a hacker’s dream come true. Most mashups are derivative sites and could perhaps reflect the so-called security weaknesses of the originating sites. Sounds like someone trying to sell me more Information Security consulting. I gave at the office.
Then, take a quote like this:

However, the informal manner in which these websites are thrown together means that information displayed on them could be inaccurate or false. Issues such as security and privacy may only be considered as an afterthought, if at all, and there is nothing to prevent people using them to obtain personal information, such as addresses…

My impression is that mashups work for a number of reasons: they’re easy and cheap and cheerful to create, the hoops to jump through are kept to a minimum; the information they derive teaches us new things or gives us new pleasure or helps us do new things; they are created and co-created by people who love asking Why Not? as well as Why? If these sites can get hold of addresses or other personal information, much of the time it means the information was already available in cleartext from open sources in the first place.

Carry on with a quote like this:

The worry is that mashups could be an accident waiting to happen, according to some delegates at the Computer-Human Interaction conference in Montreal, Canada, last month. Hart Rossman, chief security technologist for Science Applications International of Vienna, Virginia, and adviser to the US Department of Defense, warned that developers of these websites are not taking issues such as data integrity, system security and privacy seriously enough.

…and it carries on: Central to the problem is the fact that the mashup developer does not own the data being mashed, while the owner neither knows nor cares that their data is being used.
Let me guess who said it. Oh yes, a chief security technologist. Why am I not surprised?

I think this is important. I don’t want to see phrases like “not taking issues such as data integrity, system security and privacy seriously enough”. That’s scaremongering. Selling security consulting. And there’s some of the Emperor’s New Clothes as well. As if these issues were perfectly dealt with before mashups came along. Yeah right.

Read the rest of the article for yourself. There are some very useful bits, but far too much head-in-the-sand-ness for me.

Privacy and security and data integrity are important all right. As are identity and authentication and permissioning, which occupy the same space.

We need to ensure that the weeds of DRM are not allowed to choke the mashup flowers. Let a thousand mashup flowers bloom. We need new answers to identity and access, but we are not going to get them by constraining new ways of doing things with old ways of stopping things.